CVE-2025-12738 | THREATINT

Description

Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issues is fixed.

PUBLISHED Reserved 2025-11-05 | Published 2026-01-22 | Updated 2026-01-22 | Assigner Neo4j

LOW: 1.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/V:D

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

Any version before 2025.11.2

affected

Any version before 5.26.17

affected

References

neo4j.com/security/CVE-2025-12738 vendor-advisory

cve.org (CVE-2025-12738)

nvd.nist.gov (CVE-2025-12738)

Download JSON